Abstract. In this paper, we concentrate on synthesis of real-time programs modeled by Alur and Dill timed automata for automatic addition of different types of time-bounded liveness properties. Time-bounded liveness (also called time-bounded response), that something good will happen soon, within a certain amount of time, captures a wide range of requirements for specifying real-time and embedded systems. We show that the problem of automatically adding a time-bounded liveness property to a given timed automaton while maintaining maximal nondeterminism is NP-hard in the size of locations of the input automaton. Furthermore, we show that by relaxing the maximality requirement we can devise a sound and complete algorithm that adds a time-bounded liveness property to a given timed automaton while preserving its existing MTL specification. This synthesis method is useful for adding properties that are discovered later to be a crucial part of a program. Moreover, we show that addition of interval time-bounded liveness, where the good thing should not happen sooner than a certain amount of time, is also NP-hard in the size of locations even without maximal nondeterminism. Finally, we show that adding time-bounded and interval time-bounded as well as unbounded liveness properties are all PSPACE-complete in the size of the input timed automaton.

Keywords: Program transformation, Program synthesis, Timed automata, Real-time, Bounded liveness, Bounded response, Formal methods.

1 Introduction

Automated program synthesis is the problem of designing an algorithmic method to find a program that satisfies a required behavior. Such automated synthesis is desirable, as it ensures that the synthesized program is correct by construction. The synthesis problem has mainly been studied in two contexts: synthesizing programs from specification, where the entire specification is given, and synthesizing programs from existing programs along with a fully or partially available new specification. In approaches where the entire specification must be available, a change in the specification, e.g., addition of a new property, requires us to begin from scratch. By contrast, in the latter approach, it is possible to reuse an existing program (and, hence, the previous efforts made for synthesizing the existing program). Since it may not be possible to anticipate all the necessary required properties at design time, this approach is especially useful in program maintenance, where the program needs to be modified to add a new property of interest.

In order to add a new property of interest to a program there are two ways: (1) comprehensive redesign, where the designer introduces new behaviors (e.g., by introducing new variables or adding new computation paths), or (2) local redesign, where the designer removes behaviors that violate the property of interest but does not add any new behaviors. While the former requires the designer to verify all other properties of the new program, the latter ensures that certain existing properties (e.g., LTL and MTL) are preserved. Local redesign is especially applicable when the original program is designed manually, e.g., for ensuring that the original program is efficient. Moreover, with this approach, existing computations are preserved and, hence, it has the potential to preserve the efficiency of the original program.

1 This work was partially sponsored by NSF CAREER CCR-0092724, DARPA Grant OSURS01-C-1901, ONR Grant N00014-01-1-0744, NSF grant EIA-0130724, and a grant from Michigan State University.

Depending upon the choice of formulation of the problem and the expressiveness of specifications and programs, the complexity class of synthesis methods varies from polynomial time to undecidability. In this paper, we focus on complexity issues in synthesis methods that add properties typically used for specifying timing constraints in real-time programs using local redesign. Precisely, we identify the cases where the complexity of such addition is manageable. More specifically, we study the problem of incremental addition of time-bounded liveness properties (also called time-bounded response), that something good will happen soon, within a certain amount of time, to Alur and Dill timed automata [1], while preserving their existing Metric Temporal Logic (MTL) specification [2]. This method will be especially desirable when an existing system is to be modified so that it meets new (respectively, stronger) timing constraints.

1.1 Related Work

In the context of untimed systems, in the pioneering work [3,4], the authors propose methods for synthesizing the synchronization skeleton of programs from their temporal logic specification. More recently, in [5-7], the authors investigate algorithmic methods to locally redesign fault-tolerant programs using their existing fault-intolerant version and a partially available specification. In [8], the authors introduce a synthesis algorithm that adds UNITY properties [9] such as leads-to (which is an unbounded liveness property) to untimed programs.

Synthesis of real-time programs has mostly been formulated in the context of timed controller synthesis from a game-theoretic perspective. In the early works [10-12], the authors investigate the problem where the given program (also called plant) is given by a deterministic timed automaton and the specification is modelled as a deterministic internal winning condition on the state space of the plant. The authors also assume that the controller can use unlimited resources (i.e., the number of new clocks and guards that compare the clocks to constants). Similarly, in [13], the authors solve the reachability problem in timed games. Deciding the existence of a winning condition with the formulation presented in [10-13] is shown to be EXPTIME-complete in [14].

In [15,16], the authors address the problem of synthesizing timed controllers with limited resources. Similar to the aforementioned work, the plant is modelled by a deterministic timed automaton, but the specification is given by an external nondeterministic timed automaton that describes undesired behavior of the plant. With this formulation, the synthesis problem is 2EXPTIME-complete. However, if the given specification remains nondeterministic but describes desired behavior of the plant, the problem turns out to be undecidable.

In [17], the authors propose a synthesis method for timed games, where the game is modelled as a timed automaton, the winning condition is described by TCTL formulae, and unlimited resources are available. In [18], the authors consider concurrent two-person games given by a timed automaton played in real time and provide symbolic algorithms for solving them with respect to all ω-regular winning conditions. In both approaches, deciding the existence of a winning strategy is EXPTIME-complete.

1.2 Contributions

The point of departure of our work from the above related work is as follows. In our work, we (i) consider the case where the entire specification of the program is not given to the synthesis algorithm; and (ii) model the notion of program by nondeterministic timed automata. In fact, we study how the level of nondeterminism affects the complexity of synthesis methods. A high level of nondeterminism increases the potential of success in later manipulations such as adding another time-bounded liveness property to the transformed program. Furthermore, unlike the related work, we model specifications in MTL. Moreover, the aim of our study is to identify the complexity class of automated addition of different types of time-bounded liveness properties and possibly to devise algorithms that can be used in tools for synthesizing real-time programs.

The main results in this paper are as follows:

- We show that adding a time-bounded liveness property while maintaining maximal nondeterminism is NP-hard in the size of locations of the given timed automaton.

- Based on the above result and the NP-hardness of adding two time-bounded liveness properties without maximal nondeterminism (footnote 2), we focus on addition of a single time-bounded liveness property to a timed automaton without maximal nondeterminism. In fact, we present a surprising result that by dropping the maximality requirement we can devise a simple sound and complete transformation algorithm that adds a time-bounded liveness property to a timed automaton. The algorithm also ensures that the input timed automaton continues to satisfy its existing MTL properties. Since our algorithm is complete, if it fails to synthesize a program then it informs the designer that a more comprehensive (and expensive) approach must be used. Moreover, since the complexity of our algorithm is comparable with that of model checking, the algorithm has the potential to provide timely insight to the designer about how the given program needs to be modified to meet the required time-bounded liveness property. Thus, in this paper, we extend the results presented in [8] to the context of real-time programs.

- We show that adding interval time-bounded liveness, where the good thing should not happen sooner than a certain amount of time, is also NP-hard in the size of locations of the given timed automaton even without maximal nondeterminism.

- We show that the problems of adding time-bounded and interval time-bounded as well as unbounded liveness (also called leads-to) properties are all PSPACE-complete in the size of the input timed automaton.

Table 1 compares the complexity of our approach and other synthesis methods in the literature.

Approach                                   Complexity
Adding Bounded Liveness (This paper)       PSPACE-complete
Direct Synthesis from MTL [19]             EXPSPACE-complete
Timed control synthesis [15,16]            2EXPTIME-complete
Timed games [10,12,13,17,18]               EXPTIME-complete

Table 1. Complexity of different approaches for synthesizing real-time systems.


Organization of the paper. In Section 2, we present the preliminary concepts. In Section 3, we formally state the problem of addition of an MTL property to an existing real-time program. We describe the NP-hardness result for adding time-bounded liveness with maximal nondeterminism in Section 4. Then, in Section 5, we present a sound and complete algorithm for adding time-bounded liveness to timed automata without maximal nondeterminism. In Section 6, we present the complexity of addition of interval time-bounded liveness and unbounded liveness properties. In Section 7, we answer the potential questions raised about our approach. Finally, we make the concluding remarks and discuss future work in Section 8.

2 Preliminaries

In this section, we present the preliminary concepts and formal definitions of real-time programs and specifications. Real-time programs are modeled by Alur and Dill timed automata [1]. Specifications are modeled by Metric Temporal Logic (MTL) [2].

2 In [8], it is shown that adding two unbounded liveness properties to an untimed program is NP-hard. The same proof can be easily extended to the problem of adding two time-bounded liveness properties to a timed automaton.
Let $AP$ be a set of atomic propositions. A state is a subset of $AP$. A timed state sequence is an infinite sequence of pairs $(\sigma, \tau) = (\sigma_0, \tau_0), (\sigma_1, \tau_1), \ldots$, where $\sigma_i$ ($i \in \mathbb{N}$) is a state and $\tau_i \in \mathbb{R}_{\geq 0}$ satisfies the following constraints:

1. Initialization: $\tau_0 = 0$.

2. Monotonicity: $\tau_i \leq \tau_{i+1}$ for all $i \in \mathbb{N}$.

3. Progress: For all $t \in \mathbb{R}_{\geq 0}$, there exists $j$ such that $\tau_j > t$.

2.1 Metric Temporal Logic

We briefly recap the syntax and semantics of point-based MTL. Linear Temporal Logic (LTL) specifies the qualitative part of a program. MTL introduces real time by constraining temporal operators, so that one can specify the quantitative part as well. For instance, the constrained eventually operator $\Diamond_{[1,3]}$ is interpreted as "eventually within 1 to 3 time units, both inclusive".

Syntax. Formulae of MTL are inductively defined by the grammar: $\phi ::= p \mid \neg\phi \mid \phi_1 \wedge \phi_2 \mid \phi_1\, \mathcal{U}_I\, \phi_2$, where $p \in AP$ and $I \subseteq \mathbb{R}_{\geq 0}$ is an open, closed, half-open, bounded, or unbounded interval with endpoints in $\mathbb{Z}_{\geq 0}$. For simplicity, we use $\Diamond_I \phi$ and $\Box_I \phi$ instead of $\mathit{true}\, \mathcal{U}_I\, \phi$ and $\neg \Diamond_I \neg\phi$. We also use pseudo-arithmetic expressions to denote intervals. For instance, "$\leq 4$" means $[0, 4]$.

Semantics. For an MTL formula $\phi$ and a timed state sequence $(\sigma, \tau) = (\sigma_0, \tau_0), (\sigma_1, \tau_1), \ldots$, the satisfaction relation $(\sigma_i, \tau_i) \models \phi$ is defined inductively as follows:

$(\sigma_i, \tau_i) \models p$ iff $\sigma_i \models p$ ($\sigma_i \models p$ iff $p \in \sigma_i$, and we say $\sigma_i$ is a $p$-state);

$(\sigma_i, \tau_i) \models \neg\phi$ iff $(\sigma_i, \tau_i) \not\models \phi$;

$(\sigma_i, \tau_i) \models \phi_1 \wedge \phi_2$ iff $(\sigma_i, \tau_i) \models \phi_1$ and $(\sigma_i, \tau_i) \models \phi_2$;

$(\sigma_i, \tau_i) \models \phi_1\, \mathcal{U}_I\, \phi_2$ iff there exists $j \geq i$ such that $\tau_j - \tau_i \in I$ and $(\sigma_{i'}, \tau_{i'}) \models \phi_1$ for all $i'$, where $i \leq i' < j$, and $(\sigma_j, \tau_j) \models \phi_2$.

A timed state sequence $(\sigma, \tau)$ satisfies the formula $\phi$ if $(\sigma_0, \tau_0) \models \phi$.

The formula $\phi$ defines a set $\Sigma$ of timed state sequences that satisfy $\phi$. We call this set a specification (or property). In this paper, we focus on a standard class of properties of real-time programs defined as follows. An interval time-bounded liveness (or interval time-bounded response) property is of the form $\mathcal{L}_I = \Box(p \rightarrow \Diamond_{[\delta_1, \delta_2]}\, q)$, where $p, q \in AP$ and $\delta_1, \delta_2 \in \mathbb{Z}_{\geq 0}$; i.e., it is always the case that a $p$-state is followed by a $q$-state within $\delta_2$, but not sooner than $\delta_1$, time units. The special case of $\mathcal{L}_I$ in which $\delta_1 = 0$ is known as a time-bounded liveness property and is of the form $\mathcal{L}_b = \Box(p \rightarrow \Diamond_{\leq \delta}\, q)$; i.e., it is always the case that a $p$-state is followed by a $q$-state within $\delta$ time units. Furthermore, an unbounded liveness (or leads-to) property is defined as $\mathcal{L}_\infty = \Box(p \rightarrow \Diamond_{[0, \infty)}\, q)$; i.e., it is always the case that a $p$-state is eventually followed by a $q$-state.
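As an added illustration (not code from the paper), the following Python evaluates the point-based semantics above on a constructed finite prefix of a timed state sequence and builds the three property classes $\mathcal{L}_I$, $\mathcal{L}_b$ and $\mathcal{L}_\infty$ from the basic operators; the trace and proposition names are made up for the railroad example, and on a finite prefix only initialization and monotonicity can be checked, not progress.

```python
"""Point-based MTL over a finite prefix of a timed state sequence.

Added example, not code from the paper. Formulas follow the grammar
phi ::= p | not phi | phi1 and phi2 | phi1 U_I phi2, and 'always' and
'eventually' are the abbreviations from the text. Because the prefix is
finite, an unbounded 'always' only inspects the observed positions, so a
True result is evidence about the prefix, not a proof about the infinite
sequence."""
import math

INF = math.inf

# Constructed prefix of a timed state sequence (sigma_i, tau_i) for the
# railroad crossing: tau_0 = 0 and the timestamps are non-decreasing.
TRACE = [
    (frozenset({"far"}), 0.0),
    (frozenset({"approaching"}), 1.0),
    (frozenset({"crossing"}), 3.5),
    (frozenset({"passed"}), 4.5),
    (frozenset({"far"}), 6.0),
    (frozenset({"far"}), 7.0),
]


def check_timed_state_sequence(seq):
    """Initialization (tau_0 = 0) and monotonicity (tau_i <= tau_{i+1}).
    Progress cannot be decided on a finite prefix, so it is not checked."""
    if not seq or seq[0][1] != 0:
        return False
    return all(seq[i][1] <= seq[i + 1][1] for i in range(len(seq) - 1))


# Formulas are nested tuples; an interval I is (lo, hi, lo_open, hi_open).
TRUE = ("true",)


def atom(p):
    return ("atom", p)


def neg(phi):
    return ("not", phi)


def conj(a, b):
    return ("and", a, b)


def until(a, b, lo=0.0, hi=INF, lo_open=False, hi_open=False):
    return ("until", a, b, (lo, hi, lo_open, hi_open))


def eventually(phi, lo=0.0, hi=INF, **bounds):      # true U_I phi
    return until(TRUE, phi, lo, hi, **bounds)


def always(phi, lo=0.0, hi=INF, **bounds):          # not (eventually_I not phi)
    return neg(eventually(neg(phi), lo, hi, **bounds))


def implies(a, b):                                  # a -> b  ==  not (a and not b)
    return neg(conj(a, neg(b)))


def in_interval(d, interval):
    lo, hi, lo_open, hi_open = interval
    if d < lo or (lo_open and d == lo):
        return False
    return not (d > hi or (hi_open and d == hi))


def holds(phi, seq, i):
    """(sigma_i, tau_i) |= phi, following the inductive definition in the text."""
    kind = phi[0]
    if kind == "true":
        return True
    if kind == "atom":
        return phi[1] in seq[i][0]          # p in sigma_i
    if kind == "not":
        return not holds(phi[1], seq, i)
    if kind == "and":
        return holds(phi[1], seq, i) and holds(phi[2], seq, i)
    # until: some j >= i with tau_j - tau_i in I, phi2 at j, phi1 on [i, j)
    _, phi1, phi2, interval = phi
    for j in range(i, len(seq)):
        if in_interval(seq[j][1] - seq[i][1], interval) and holds(phi2, seq, j):
            # if phi1 fails before this j, it also fails for every later j
            return all(holds(phi1, seq, k) for k in range(i, j))
    return False


def satisfies(phi, seq):
    """The sequence satisfies phi iff (sigma_0, tau_0) |= phi."""
    return holds(phi, seq, 0)


# The three property classes of Section 2.1.
def interval_bounded_liveness(p, q, d1, d2):       # []( p -> <>_[d1,d2] q )
    return always(implies(atom(p), eventually(atom(q), d1, d2)))


def time_bounded_liveness(p, q, d):                 # []( p -> <>_{<=d} q )
    return interval_bounded_liveness(p, q, 0, d)


def unbounded_liveness(p, q):                       # []( p -> <>_[0,inf) q )
    return always(implies(atom(p), eventually(atom(q), 0, INF, hi_open=True)))
```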

2.2 Timed Automata

For a set of clock variables $X$, the set $\Phi(X)$ of clock constraints $\varphi$ is inductively defined by the grammar:

$\varphi ::= x < c \mid x > c \mid x \leq c \mid x \geq c \mid \varphi_1 \wedge \varphi_2$

where $x \in X$ and $c \in \mathbb{Z}_{\geq 0}$. A clock valuation is a function $\nu : X \rightarrow \mathbb{R}_{\geq 0}$ that assigns a real value to each clock variable. Furthermore, for $t \in \mathbb{R}_{\geq 0}$, $(\nu + t)(x) = \nu(x) + t$ for every clock $x$. Also, for $Y \subseteq X$, $\nu[Y := 0]$ denotes the clock valuation for $X$ which assigns 0 to each $x \in Y$ and agrees with $\nu$ over the rest of the clock variables in $X$.

Definition 2.1. A timed automaton $\mathcal{A}$ is a tuple $(L, L^0, \psi, X, E)$, where

- $L$ is a finite set of locations,

- $L^0 \subseteq L$ is a set of initial locations,

- $\psi : L \rightarrow 2^{AP}$ is a labeling function assigning to each location the set of atomic propositions true in that location,

- $X$ is a finite set of clocks, and

- $E \subseteq (L \times 2^X \times \Phi(X) \times L)$ is a set of switches. A switch $(s_0, \lambda, \varphi, s_1)$ represents a transition from location $s_0$ to location $s_1$ under clock constraint $\varphi$ over $X$, which specifies when the switch is enabled. The set $\lambda \subseteq X$ gives the clocks to be reset with this switch. □

The semantics of a timed automaton is as follows. A state of a timed automaton is a pair $(s, \nu)$, such that $s$ is a location and $\nu$ is a clock valuation for $X$ at location $s$. The labeling function for states is defined by $\psi'((s, \nu)) = \psi(s)$. Thus, if $p \in \psi(s)$, then $s$ is a $p$-location (i.e., $s \models p$) and $(s, \nu)$ is a $p$-state for all $\nu$. Since the domain of clock variables ranges over the real numbers, the state space of $\mathcal{A}$ is infinite. An initial state of $\mathcal{A}$ is $(s_{init}, \nu_{init})$, where $s_{init} \in L^0$ and $\nu_{init}$ maps the value of all clocks in $X$ to 0. Transitions of $\mathcal{A}$ are of the form $(s_0, \nu_0) \rightarrow (s_1, \nu_1)$. They are classified into two types:

- Delay (elapse of time): for a state $(s, \nu)$ and a time increment $\tau \in \mathbb{R}_{\geq 0}$, $(s, \nu) \xrightarrow{\tau} (s, \nu + \tau)$.

- Location switch: for a state $(s_0, \nu)$ and a switch $(s_0, \lambda, \varphi, s_1)$ such that $\nu$ satisfies the clock constraint $\varphi$, $(s_0, \nu) \rightarrow (s_1, \nu[\lambda := 0])$.

We use the well-known railroad crossing problem from the literature as a running demonstration throughout the paper. The original problem comprises three timed automata, but we only consider the TRAIN automaton (cf. Figure 1-a). The TRAIN automaton models the behavior of a train approaching a railroad crossing. Initially, the train is far from the gateway of the crossing. It announces approaching the gateway by resetting the clock variable $x$. The train is required to start crossing the gateway after at least 2 minutes. It passes the gateway at least 3 minutes after approaching the gateway. Finally, there is no constraint on reaching the initial location.

We now define what it means for a timed automaton $\mathcal{A}$ to satisfy an MTL specification $\Sigma$. An infinite sequence $(s_0, \nu_0, \tau_0), (s_1, \nu_1, \tau_1), \ldots$, where $\tau_i \in \mathbb{R}_{\geq 0}$, is a computation of $\mathcal{A}$ iff $\forall j > 0 : (s_{j-1}, \nu_{j-1}) \rightarrow (s_j, \nu_j)$ is a transition of $\mathcal{A}$ and the sequence $\tau_0 \tau_1 \ldots$ satisfies initialization, monotonicity, and progress. We write $\mathcal{A} \models \Sigma$ and say that timed automaton $\mathcal{A}$ satisfies specification $\Sigma$ iff every computation of $\mathcal{A}$ that starts from an initial location is in $\Sigma$. Thus, $\mathcal{A} \models \Box(p \rightarrow \Diamond_{\leq \delta}\, q)$ iff any computation of $\mathcal{A}$ that reaches a $p$-state reaches a $q$-state within $\delta$ time units. If $\mathcal{A} \not\models \Sigma$, we say $\mathcal{A}$ violates $\Sigma$.
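To make Definition 2.1, the two transition types and the computation definition concrete, here is an added Python model (not the paper's code) of the TRAIN automaton as described in the text, with a checker that validates a finite prefix of a computation; the guards $x \geq 2$ and $x \geq 3$, the proposition names and the sample runs are assumptions, since Figure 1 is not reproduced here.

```python
"""Timed automaton (L, L^0, psi, X, E) with delay and location-switch
transitions, plus a checker for the computation definition.

Added example; the TRAIN guards and labels are assumed from the prose."""

OPS = {"<": lambda a, c: a < c, ">": lambda a, c: a > c,
       "<=": lambda a, c: a <= c, ">=": lambda a, c: a >= c}


def satisfies_guard(nu, guard):
    """guard is a conjunction of atomic constraints (clock, op, c)."""
    return all(OPS[op](nu[x], c) for x, op, c in guard)


class TimedAutomaton:
    def __init__(self, locations, initial, labeling, clocks, switches):
        self.L, self.L0, self.psi = set(locations), set(initial), dict(labeling)
        self.X, self.E = set(clocks), list(switches)   # switch: (s0, reset, guard, s1)

    def initial_states(self):
        return [(s, {x: 0.0 for x in self.X}) for s in self.L0]

    def delay(self, state, t):
        s, nu = state
        return (s, {x: v + t for x, v in nu.items()})      # (s, nu + t)

    def switch(self, state, sw):
        """(s1, nu[lambda := 0]) if the switch is enabled in `state`, else None."""
        s0, reset, guard, s1 = sw
        s, nu = state
        if s != s0 or not satisfies_guard(nu, guard):
            return None
        return (s1, {x: (0.0 if x in reset else v) for x, v in nu.items()})

    def is_transition(self, a, b, eps=1e-9):
        """a -> b is a delay (all clocks advance by the same t >= 0) or a switch."""
        (sa, na), (sb, nb) = a, b
        if sa == sb:
            ts = [nb[x] - na[x] for x in self.X]
            if ts and ts[0] >= 0 and all(abs(t - ts[0]) < eps for t in ts):
                return True
        return any(self.switch(a, sw) == b for sw in self.E)

    def is_computation(self, run):
        """run is a finite prefix [(s_j, nu_j, tau_j), ...] starting in an initial
        state; consecutive triples must be transitions and the tau sequence must
        satisfy initialization and monotonicity (progress needs the infinite tail)."""
        if not run:
            return False
        s0, nu0, tau0 = run[0]
        if s0 not in self.L0 or tau0 != 0 or any(v != 0 for v in nu0.values()):
            return False
        for (s, nu, tau), (s2, nu2, tau2) in zip(run, run[1:]):
            if tau2 < tau or not self.is_transition((s, nu), (s2, nu2)):
                return False
        return True

    def holds_at(self, state, p):
        """(s, nu) is a p-state iff p in psi(s), independent of nu."""
        return p in self.psi[state[0]]


# TRAIN as described in the text (guards are an assumption): approaching resets
# x, crossing may start once x >= 2, the gateway is passed once x >= 3, and
# returning to FAR is unconstrained.
TRAIN = TimedAutomaton(
    locations=["FAR", "APPROACHING", "CROSSING", "PASSED"],
    initial=["FAR"],
    labeling={"FAR": {"far"}, "APPROACHING": {"approaching"},
              "CROSSING": {"crossing"}, "PASSED": {"passed"}},
    clocks=["x"],
    switches=[
        ("FAR", {"x"}, [], "APPROACHING"),
        ("APPROACHING", set(), [("x", ">=", 2)], "CROSSING"),
        ("CROSSING", set(), [("x", ">=", 3)], "PASSED"),
        ("PASSED", set(), [], "FAR"),
    ],
)

# Constructed run prefix alternating delay and switch transitions.
GOOD_RUN = [
    ("FAR", {"x": 0.0}, 0.0), ("FAR", {"x": 1.0}, 1.0),
    ("APPROACHING", {"x": 0.0}, 1.0), ("APPROACHING", {"x": 2.5}, 3.5),
    ("CROSSING", {"x": 2.5}, 3.5), ("CROSSING", {"x": 3.5}, 4.5),
    ("PASSED", {"x": 3.5}, 4.5),
]
# Same shape, but the train starts crossing after only 1.5 minutes.
BAD_RUN = GOOD_RUN[:3] + [
    ("APPROACHING", {"x": 1.5}, 2.5), ("CROSSING", {"x": 1.5}, 2.5),
]
```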


Fig. 1. (a) TRAIN automaton. (b) Region automaton of TRAIN automaton.
2.3 Region Automata

Given a timed automaton $\mathcal{A}(L, L^0, \psi, X, E)$, to check whether a location $s_1$ is reachable from another location $s_0$, we must determine if there is a computation that starts from $s_0$ and reaches $s_1$ in the infinite state space. The solution to this reachability problem involves construction of a finite quotient proposed in [1]. This construction uses an equivalence relation, called region equivalence (denoted $\cong$), on the state space that equates two states with the same location and is defined over the set of all clock valuations for $X$. For two clock valuations $\nu$ and $\mu$, $\nu \cong \mu$ iff:

1. $\forall x \in X : ((\lfloor \nu(x) \rfloor = \lfloor \mu(x) \rfloor) \vee (\nu(x), \mu(x) > c_x))$.

2. $\forall x, y \in X : (\nu(x) \leq c_x \wedge \nu(y) \leq c_y) : ((\langle \nu(x) \rangle \leq \langle \nu(y) \rangle) \text{ iff } (\langle \mu(x) \rangle \leq \langle \mu(y) \rangle))$.

3. $\forall x \in X : \nu(x) \leq c_x : ((\langle \nu(x) \rangle = 0) \text{ iff } (\langle \mu(x) \rangle = 0))$.

where $c_x$ is the largest integer $c$ such that $x$ is compared with $c$ in some clock constraint in $\mathcal{A}$, and, for any $r \in \mathbb{R}_{\geq 0}$, $\langle r \rangle$ denotes the fractional part and $\lfloor r \rfloor$ denotes the integral part of $r$. A clock region for $\mathcal{A}$ is an equivalence class of clock valuations induced by $\cong$. Note that there are only finitely many regions. Also, region equivalence is a time-abstract bisimulation [1].

A region is a pair $(s, \rho)$, where $s$ is a location and $\rho$ is a clock region. If $s$ is a $p$-location, we say that $(s, \rho)$ is a $p$-region. Using the region equivalence relation, we construct the region automaton of $\mathcal{A}$ (denoted $R(\mathcal{A})$) as follows. Vertices of $R(\mathcal{A})$ are regions. Edges of $R(\mathcal{A})$ are of the form $(s_0, \rho_0) \rightarrow (s_1, \rho_1)$ iff for some clock valuations $\nu_0 \in \rho_0$ and $\nu_1 \in \rho_1$, $(s_0, \nu_0) \rightarrow (s_1, \nu_1)$ is a transition of $\mathcal{A}$. We note that the size of a region automaton is polynomial (respectively, exponential) in the size of its corresponding timed automaton, space-wise (respectively, time-wise). Figure 1-b shows the region automaton of the TRAIN automaton.

We say a region $(s_0, \rho_0)$ of region automaton $R(\mathcal{A})$ is a deadlock region iff for all regions $(s_1, \rho_1)$, there does not exist an edge of the form $(s_0, \rho_0) \rightarrow (s_1, \rho_1)$.

A clock region $\beta$ is a time-successor of a clock region $\alpha$ iff for each $\nu \in \alpha$, there exists $t \in \mathbb{R}_{\geq 0}$ such that $\nu + t \in \beta$, and $\nu + t' \in \alpha \cup \beta$ for all $t' < t$. We call a region $(s, \rho)$ a boundary region if for each $\nu \in \rho$ and for any $t \in \mathbb{R}_{>0}$, $\nu$ and $\nu + t$ are not equivalent. A region is open if it is not a boundary region. A region $(s, \rho)$ is called an end region if $\nu(x) > c_x$ for all clocks $x$. For instance, in Figure 1-b, (APPROACHING, $x = 2$) is a boundary region, (CROSSING, $3 < x < 4$) is an open region, and (PASSED, $x > 4$) is an end region.
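The region equivalence and the boundary/open/end classification above, as an added Python example (not the paper's code): the three conditions are implemented over clock valuations given as dicts, and a region is classified through any one of its valuations. The largest constant $c_x$ is an input; for the TRAIN clock we assume $c_x = 4$, which matches the end region (PASSED, $x > 4$) named in the text.

```python
"""Region equivalence and region classification for clock valuations.

Added example, not the paper's code. cmax[x] is c_x, the largest constant
that clock x is compared with; the TRAIN value below is an assumption."""
import math


def frac(r):
    return r - math.floor(r)          # <r>, the fractional part


def region_equivalent(nu, mu, cmax):
    """nu and mu are clock valuations over the clocks listed in cmax."""
    clocks = list(cmax)
    # 1. same integral part, or both beyond c_x
    for x in clocks:
        if not (math.floor(nu[x]) == math.floor(mu[x])
                or (nu[x] > cmax[x] and mu[x] > cmax[x])):
            return False
    # 2. same ordering of fractional parts among clocks that are still <= c_x
    for x in clocks:
        for y in clocks:
            if nu[x] <= cmax[x] and nu[y] <= cmax[y]:
                if (frac(nu[x]) <= frac(nu[y])) != (frac(mu[x]) <= frac(mu[y])):
                    return False
    # 3. a clock <= c_x sits exactly on an integer in nu iff it does in mu
    for x in clocks:
        if nu[x] <= cmax[x] and (frac(nu[x]) == 0) != (frac(mu[x]) == 0):
            return False
    return True


def is_end_region(nu, cmax):
    """End region: every clock has passed its largest constant."""
    return all(nu[x] > cmax[x] for x in cmax)


def is_boundary_region(nu, cmax):
    """Boundary region: nu and nu + t are inequivalent for every t > 0.
    Any t > 0 moves a clock that sits exactly on an integer <= c_x off that
    integer, which breaks condition 3; conversely, if every clock <= c_x has a
    nonzero fraction, a small enough t preserves all three conditions. Hence
    the region is a boundary region iff such an integer-valued clock exists."""
    return any(nu[x] <= cmax[x] and frac(nu[x]) == 0 for x in cmax)


def classify_region(nu, cmax):
    """'end', 'boundary' or 'open' for the region containing nu."""
    if is_end_region(nu, cmax):
        return "end"
    return "boundary" if is_boundary_region(nu, cmax) else "open"


# Assumed c_x for the TRAIN automaton's single clock.
TRAIN_CMAX = {"x": 4}
```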

3 Problem Statement

Given are a timed automaton $\mathcal{A}(L, L^0, \psi, X, E)$ and an MTL property $\mathcal{L}$ (either $\mathcal{L}_I$, $\mathcal{L}_b$, or $\mathcal{L}_\infty$). Our goal is to find a timed automaton $\mathcal{A}'(L', L'^0, \psi', X', E')$, such that $\mathcal{A}' \models \mathcal{L}$ and, for any MTL specification $\Sigma$, if $\mathcal{A} \models \Sigma$ then $\mathcal{A}' \models \Sigma$.

We now explain how we formulate the problem. Since we require that $\mathcal{A}' \models \Sigma$, if $L'$ contains locations that are not in $L$, then $\mathcal{A}'$ may include computations that are not in $\Sigma$ and, as a result, $\mathcal{A}'$ may violate $\Sigma$. Hence, we require that $L' \subseteq L$ and $L'^0 \subseteq L^0$. Moreover, if $E'$ contains switches that are present in $E$ but are guarded by weaker timing constraints, or $E'$ contains switches that are not present in $E$ at all, then $\mathcal{A}'$ may include computations that are not in $\Sigma$. Hence, we require that $E'$ contains a switch $(s_0, \lambda, \varphi', s_1)$ only if there exists $(s_0, \lambda, \varphi, s_1)$ in $E$ such that $\varphi'$ is stronger than $\varphi$. Furthermore, extending the state space of $\mathcal{A}$ by introducing new clock variables under the above circumstances is legitimate. Finally, we require $\psi'$ to be equivalent to $\psi$. Thus, the synthesis problem is as follows:

Problem Statement 3.1. Given $\mathcal{A}(L, L^0, \psi, X, E)$ and an MTL property $\mathcal{L}$, identify $\mathcal{A}'(L', L'^0, \psi', X', E')$ such that

(C1) $L' \subseteq L$, $L'^0 \subseteq L^0$

(C2) $\psi' = \psi$

(C3) $X \subseteq X'$

(C4) $\forall (s_0, \lambda, \varphi', s_1) \mid (s_0, \lambda, \varphi', s_1) \in E' : (\exists (s_0, \lambda, \varphi, s_1) \mid (s_0, \lambda, \varphi, s_1) \in E : (\varphi' \Rightarrow \varphi))$

(C5) $\mathcal{A}' \models \mathcal{L}$

(C6) For any MTL specification $\Sigma$: $((\mathcal{A} \models \Sigma) \Rightarrow (\mathcal{A}' \models \Sigma))$ □

Note that, based on Problem Statement 3.1, since we allow synthesis methods to remove states and transitions of a timed automaton, such methods are appropriate for analyzing linear-time temporal logics such as MTL. In fact, the constraints of Problem Statement 3.1 do not suffice to reason about existential properties of a program expressed in branching-time temporal logics such as TCTL. We will discuss this issue in Section 7 (cf. second question) in detail.

Remark 3.2. The results in this paper can be easily extended to the case where all initial locations are preserved in the synthesized automaton. We discuss this issue in detail in the proofs of Theorems 5.1 and 5.2, and in Remark 5.3.
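Constraints (C1) to (C4) are purely syntactic and can be checked without model checking; the following added Python (not the paper's code) does so for automata encoded as $(L, L^0, \psi, X, E)$ tuples, deciding $\varphi' \Rightarrow \varphi$ for the clock-constraint grammar of Section 2.2 by per-clock interval containment. The TRAIN automaton and its redesigned variants are constructed here, with guards assumed from the prose.

```python
"""Syntactic checks for constraints (C1)-(C4) of Problem Statement 3.1.

Added example, not the paper's code. Guards are conjunctions of atomic
constraints (clock, op, c) with op in <, >, <=, >=; phi' => phi is decided
by interval containment per clock, which is exact for this grammar because
every guard is a conjunction of bounds on single clocks."""
import math

UNCONSTRAINED = (0.0, True, math.inf, False)       # clocks range over [0, inf)


def clock_bounds(guard):
    """Per clock, the interval (lo, lo_closed, hi, hi_closed) the guard allows."""
    bounds = {}
    for x, op, c in guard:
        lo, lo_in, hi, hi_in = bounds.get(x, UNCONSTRAINED)
        if op in (">", ">="):
            closed = op == ">="
            if c > lo or (c == lo and not closed):
                lo, lo_in = c, closed
        elif op in ("<", "<="):
            closed = op == "<="
            if c < hi or (c == hi and not closed):
                hi, hi_in = c, closed
        else:
            raise ValueError(f"unsupported operator {op!r}")
        bounds[x] = (lo, lo_in, hi, hi_in)
    return bounds


def is_empty(b):
    lo, lo_in, hi, hi_in = b
    return lo > hi or (lo == hi and not (lo_in and hi_in))


def guard_implies(strong, weak):
    """strong => weak: every valuation allowed by `strong` is allowed by `weak`."""
    sb, wb = clock_bounds(strong), clock_bounds(weak)
    if any(is_empty(b) for b in sb.values()):
        return True                      # an unsatisfiable guard implies anything
    for x, (lo_w, lo_w_in, hi_w, hi_w_in) in wb.items():
        lo_s, lo_s_in, hi_s, hi_s_in = sb.get(x, UNCONSTRAINED)
        lower_ok = lo_s > lo_w or (lo_s == lo_w and (not lo_s_in or lo_w_in))
        upper_ok = hi_s < hi_w or (hi_s == hi_w and (not hi_s_in or hi_w_in))
        if not (lower_ok and upper_ok):
            return False
    return True


def local_redesign_violations(A, A_prime):
    """A and A' are tuples (L, L0, psi, X, E); returns the violated constraints
    among C1-C4 (C5 and C6 need model checking and are out of scope here)."""
    L, L0, psi, X, E = A
    Lp, L0p, psip, Xp, Ep = A_prime
    bad = []
    if not (set(Lp) <= set(L) and set(L0p) <= set(L0)):
        bad.append("C1")
    if any(psip.get(s) != psi.get(s) for s in Lp):     # psi' = psi on L'
        bad.append("C2")
    if not set(X) <= set(Xp):
        bad.append("C3")
    for s0, lam, phi_p, s1 in Ep:
        # E must hold a switch with the same endpoints and resets and a weaker guard
        if not any(t0 == s0 and t1 == s1 and set(mu) == set(lam)
                   and guard_implies(phi_p, phi) for t0, mu, phi, t1 in E):
            bad.append("C4")
            break
    return bad


# Constructed TRAIN automaton (guards assumed from the prose).
TRAIN = (
    {"FAR", "APPROACHING", "CROSSING", "PASSED"}, {"FAR"},
    {"FAR": {"far"}, "APPROACHING": {"approaching"},
     "CROSSING": {"crossing"}, "PASSED": {"passed"}},
    {"x"},
    [("FAR", {"x"}, [], "APPROACHING"),
     ("APPROACHING", set(), [("x", ">=", 2)], "CROSSING"),
     ("CROSSING", set(), [("x", ">=", 3)], "PASSED"),
     ("PASSED", set(), [], "FAR")],
)


def with_guard(A, index, guard):
    """Copy of A whose index-th switch carries `guard` (one local redesign step)."""
    L, L0, psi, X, E = A
    E2 = list(E)
    s0, lam, _, s1 = E2[index]
    E2[index] = (s0, lam, guard, s1)
    return (L, L0, psi, X, E2)


TRAIN_STRONGER = with_guard(TRAIN, 1, [("x", ">=", 2), ("x", "<=", 5)])   # allowed
TRAIN_WEAKER = with_guard(TRAIN, 1, [("x", ">=", 1)])                     # violates C4
```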

4 Adding Time-Bounded Liveness Properties with Maximal Nondeterminism

In this section, we show that the synthesis problem in Problem Statement 3.1 for adding a time-bounded liveness property while maintaining maximal nondeterminism is NP-hard in the size of locations of the input timed automaton. We show this result by a reduction from the Vertex Splitting Problem [20] in directed acyclic graphs (DAGs).

Given a timed automaton $\mathcal{A}$ and property $\mathcal{L}_b = \Box(p \rightarrow \Diamond_{\leq \delta}\, q)$, we say that the synthesized timed automaton $\mathcal{A}'$ is maximally nondeterministic iff $\mathcal{A}'$ meets all the constraints of Problem Statement 3.1 and its set of transitions is maximal. Maintaining maximal nondeterminism is desirable in the sense that it increases the potential for further successful manipulations of a synthesized program. Note that, although we defined maximality in terms of transitions of a timed automaton, one may define it in terms of reachable locations or behaviors of a timed automaton. We discuss this issue in Section 7 in detail.

The DAG Vertex Splitting Problem (DVSP). Let $G(V, A)$ be a weighted DAG and $v_s, v_t$ be arbitrary source and target vertices in $G$. Let $G/Y$ denote the DAG obtained when each vertex $v \in Y$ is split into vertices $v^{in}$ and $v^{out}$ such that all arcs $(v, u) \in A$, where $u \in V$, are replaced by arcs of the form $(v^{out}, u)$ and all arcs $(w, v) \in A$, where $w \in V$, are replaced by arcs of the form $(w, v^{in})$. In other words, the outgoing arcs of $v$ now leave vertex $v^{out}$ while the incoming arcs of $v$ now enter $v^{in}$, and there is no arc between $v^{in}$ and $v^{out}$. The DAG vertex splitting problem is to find a vertex set $Y$, where $Y \subseteq V$ and $|Y| \leq i$ (for some positive integer $i$), such that the length of the longest path of $G/Y$ from $v_s$ to $v_t$ is bounded by a prespecified value $d$. In [20], the authors show that DVSP is NP-hard.

We now show that the problem of adding a time-bounded liveness property while maintaining maximal nondeterminism is NP-hard.

Instance. A timed automaton $\mathcal{A}(L, L^0, \psi, X, E)$, a time-bounded liveness property $\mathcal{L}_b = \Box(p \rightarrow \Diamond_{\leq \delta}\, q)$, and a positive integer $k$, where $|E| \geq k$.

Maximally Nondeterministic Time-bounded Liveness Addition Problem (MNTLAP). Does there exist a timed automaton $\mathcal{A}'(L', L'^0, \psi', X', E')$, such that $|E'| \geq k$ and $\mathcal{A}'$ meets the constraints of Problem Statement 3.1?

Theorem 4.1: MNTLAP is NP-hard in the size of locations of the input timed automaton.

Proof. We reduce DVSP to MNTLAP. The reduction maps a weighted DAG $G(V, A)$ and integers $d$ and $i$ to a timed automaton $\mathcal{A}$ and integers $\delta$ and $k$, respectively.

Mapping. Let $G(V, A)$ be any instance of DVSP whose longest path is to be bounded by $d$. Let $l(a)$ be the length of arc $a \in A$. We construct a timed automaton $\mathcal{A}$ as follows (cf. Figure 2). Each vertex $v \in V$ is mapped to a pair of locations $v^{in}$ and $v^{out}$ in $\mathcal{A}$. The set of initial locations of $\mathcal{A}$ is the singleton $L^0 = \{v_s^{in}\}$, where $v_s$ is the source vertex in $G$. Switches of $\mathcal{A}$ consist of two types of switches as follows:
Fig. 2. Mapping DVSP to MNTLAP.

- We include switches of the form $v^{in} \xrightarrow{(x = 0)?} v^{out}$ for all $v$ in $V$. The clock constraint $(x = 0)$ is used to force computations of $\mathcal{A}$ not to wait at location $v^{in}$.

- We add $2|V|$ parallel switches of the form $v^{out} \xrightarrow{(x = l(a))?,\ x := 0} u^{in}$ for all arcs $a = (v, u) \in A$ of length $l(a)$.

Let the set of clock variables of $\mathcal{A}$ be the singleton $X = \{x\}$. Finally, let $v^{in} \models p$, $v^{out} \models q$, $k = i$, and $\delta = d$. Other locations may satisfy arbitrary atomic propositions except $p$ and $q$.

Reduction. We need to show that vertex $v \in Y$ in $G$ must be split if and only if the switch $v^{in} \xrightarrow{(x = 0)?} v^{out}$ must be removed from $\mathcal{A}$. We distinguish two cases:

- DVSP → MNTLAP: Suppose the answer to DVSP is the set $Y$, where $|Y| \leq i$. Hence, by splitting all $v \in Y$, the length of the longest path of $G$ is at most $d$. Now, we show that we can synthesize a timed automaton $\mathcal{A}'$ from the mapped timed automaton $\mathcal{A}(L, \{v_s^{in}\}, \psi, \{x\}, E)$ as an answer to MNTLAP. It is easy to see that if we remove switches of the form $v^{in} \xrightarrow{(x = 0)?} v^{out}$ (for all $v \in Y$) from $E$ to obtain $E'$, the maximum delay between locations $v^{in}$ and $v^{out}$ in $\mathcal{A}'$ becomes at most $\delta$. Recall that $\delta = d$ and $i = k$. Therefore, $\mathcal{A}' \models \mathcal{L}_b$ and $|E'| \geq k$. Other constraints of Problem Statement 3.1 are immediately met by construction of $\mathcal{A}'$.

- MNTLAP → DVSP: Suppose the answer to MNTLAP is $\mathcal{A}'(L', L'^0, \psi', \{x\}, E')$, where $|E'| \geq k$ and the maximum delay to reach $v^{out}$ from $v^{in}$ is at most $\delta$. Note that $L'^0 = \{v_s^{in}\}$, as $v_s^{in}$ is the only initial location of $\mathcal{A}$. Since the number of switches removed from $E$ is at most $k$ and $k$ is at most $|V|$, we could not have removed switches of the form $v^{out} \xrightarrow{(x = l(a))?,\ x := 0} u^{in}$. This is because there are $2|V|$ of such switches and their removal would not change the maximum delay. Hence, we should have removed switches of the form $v^{in} \xrightarrow{(x = 0)?} v^{out}$ from $E$ to bound the maximum delay. These switches actually identify the set $Y$ of vertices that should be split in $G$; i.e., $Y = \{v \mid (v \in V) \wedge (v^{in}, v^{out}) \in (E - E')\}$. It is easy to see that by removing the set $Y$ from $V$, the length of the longest path of $G$ becomes at most $d$. □
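The mapping and both directions of the reduction above, as an added Python example (not from the paper): it builds $G/Y$ and the mapped timed automaton for a small constructed DAG, computes the longest path, removes the $(x = 0)$ switches for a DVSP answer $Y$, and reads $Y$ back from $E - E'$. The tuple encoding of switches and guards is a data representation chosen here.

```python
"""DVSP -> MNTLAP mapping from the proof of Theorem 4.1.

Added example, not the paper's code. A DAG is (V, A) with A a dict
{(v, u): length}; the timed automaton is (L, L0, psi, X, E) with a switch
encoded as (s0, resets, guard, s1) and a guard as a tuple of (clock, op, c).
The sample DAG at the bottom is constructed for illustration."""
import math


def split(G, Y):
    """G/Y: each v in Y becomes v_in (incoming arcs) and v_out (outgoing arcs),
    with no arc between them."""
    V, A = G
    V2 = set()
    for v in V:
        V2.update({f"{v}_in", f"{v}_out"} if v in Y else {v})
    A2 = {}
    for (v, u), length in A.items():
        v2 = f"{v}_out" if v in Y else v
        u2 = f"{u}_in" if u in Y else u
        A2[(v2, u2)] = length
    return V2, A2


def longest_path(G, src, dst):
    """Longest src -> dst path length in a DAG (-inf if dst is unreachable)."""
    V, A = G
    succ = {v: [] for v in V}
    indeg = {v: 0 for v in V}
    for (v, u), length in A.items():
        succ[v].append((u, length))
        indeg[u] += 1
    order, ready = [], [v for v in V if indeg[v] == 0]
    while ready:                         # Kahn's topological sort
        v = ready.pop()
        order.append(v)
        for u, _ in succ[v]:
            indeg[u] -= 1
            if indeg[u] == 0:
                ready.append(u)
    dist = {v: -math.inf for v in V}
    dist[src] = 0
    for v in order:                      # relax arcs in topological order
        for u, length in succ[v]:
            dist[u] = max(dist[u], dist[v] + length)
    return dist[dst]


def map_to_automaton(G, vs):
    """Each vertex v gives locations v_in |= p and v_out |= q; v_in reaches
    v_out only via an (x = 0) switch, and every arc a = (v, u) gives 2|V|
    parallel switches v_out --(x = l(a))?, x := 0--> u_in."""
    V, A = G
    L = {f"{v}_in" for v in V} | {f"{v}_out" for v in V}
    psi = {f"{v}_in": {"p"} for v in V}
    psi.update({f"{v}_out": {"q"} for v in V})
    E = [(f"{v}_in", frozenset(), (("x", "=", 0),), f"{v}_out") for v in V]
    for (v, u), length in A.items():
        E += [(f"{v}_out", frozenset({"x"}), (("x", "=", length),), f"{u}_in")] * (2 * len(V))
    return L, {f"{vs}_in"}, psi, {"x"}, E


def remove_split_switches(A, Y):
    """Local redesign for a DVSP answer Y: drop v_in --(x = 0)--> v_out for v in Y."""
    L, L0, psi, X, E = A
    gone = {(f"{v}_in", f"{v}_out") for v in Y}
    return L, L0, psi, X, [sw for sw in E if (sw[0], sw[3]) not in gone]


def split_set(A, A_prime):
    """Y = {v | (v_in, v_out) in E - E'}, read off the removed (x = 0) switches."""
    removed = set(A[4]) - set(A_prime[4])
    return {s0[:-3] for s0, _, _, s1 in removed
            if s0.endswith("_in") and s1 == s0[:-3] + "_out"}


# Constructed DAG: s -> a -> t has length 1 + 2 = 3; the direct arc s -> t has length 1.
DAG = ({"s", "a", "t"}, {("s", "a"): 1, ("a", "t"): 2, ("s", "t"): 1})
```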


5 Adding Time-Bounded Liveness Properties without Maximal Nondeterminism

In this section, we show that by relaxing the maximality constraint, we can solve the problem defined in Problem Statement 3.1 in polynomial time in the size of locations of the input timed automaton. More specifically, we present a sound and complete algorithm that adds a time-bounded liveness property to a given timed automaton, while preserving its existing MTL specification. Since our synthesis algorithm constructs and manipulates a specific weighted directed graph introduced by Courcoubetis and Yannakakis as a solution to the maximum delay problem in timed automata [21], we review this problem in Subsection 5.1. In Subsection 5.2, we describe our synthesis algorithm.

5.1 The Maximum Delay Problem in Timed Automata

The maximum delay problem is as follows. Given a timed automaton $A$, a source location and clock valuation, what is the latest time that a target location can appear along a computation of $A$? For our purpose, we extend the proposed solution in [21] to the case where a set of source and target locations are given.

The algorithm in [21] works as follows. First, we construct the region automaton $R(A)(S, T)$, where $S$ is the set of regions and $T$ is the set of edges. Then, we transform the region automaton to an ordinary weighted directed graph (called MaxDelay digraph). Let the subroutine ConstructMaxDelayGraph do this transformation as follows.

Construction of MaxDelay digraph. The subroutine ConstructMaxDelayGraph takes a region automaton $R(A)(S, T)$, a set $X$ of source regions, and a set $Y$ of target regions, where $X, Y \subseteq S$, as input, and constructs a MaxDelay digraph $G(V, A)$. Vertices of $G$ consist of the regions in $R(A)$ with the addition of a source vertex $v_s$ and a target vertex $v_t$.
Notation: We denote the weight of an arc $(v_0, v_1)$ by $Weight(v_0, v_1)$. Let $f$ denote a function that maps each region in $R(A)$ to its corresponding vertex in $G$; i.e., $f(r)$ is a vertex of $G$ that represents region $r$ in $R(A)$. Also, let $f^{-1}$ denote the inverse of $f$; i.e., $f^{-1}(v)$ is the region of $R(A)$ that corresponds to vertex $v$ in $G$. Likewise, let $F$ be a function that maps a set of regions in $R(A)$ to the corresponding set of vertices in $G$ and $F^{-1}$ be its inverse. Finally, for a boundary region $r$ with respect to clock variable $x$, we denote the value of $x$ by $r.x$ (equal to some constant in $\mathbb{Z}_{\geq 0}$).

Arcs of $G$ consist of the following:

- Arcs of weight 0 from $v_s$ to all vertices in $F(X)$, and from all vertices in $F(Y)$ to $v_t$.

- Arcs of weight 0 from $v_0$ to $v_1$, if $f^{-1}(v_0) \rightarrow f^{-1}(v_1)$ is a location switch in $R(A)$.

- Arcs of weight $d - c$, where $c, d \in \mathbb{Z}_{\geq 0}$ and $d > c$, from $v_0$ to $v_1$, if $f^{-1}(v_0)$ and $f^{-1}(v_1)$ are both boundary regions with respect to clock variable $x_i$, such that $f^{-1}(v_0).x_i = c$, $f^{-1}(v_1).x_i = d$, and there is a path in $R(A)$ from $f^{-1}(v_0)$ to $f^{-1}(v_1)$ which does not reset $x_i$. It suffices to only consider the case where $d - c = 1$.

- Arcs of weight $d - c - \epsilon$, where $c, d \in \mathbb{Z}_{\geq 0}$, $d > c$, and $\epsilon \ll 1$, from $v_0$ to $v_1$, if (1) $f^{-1}(v_0)$ is a boundary region with respect to clock variable $x_i$, (2) $f^{-1}(v_1)$ is an open region whose time-successor $f^{-1}(v_2)$ is a boundary region with respect to clock variable $x_i$, (3) $f^{-1}(v_0) \rightarrow f^{-1}(v_1)$ represents a delay transition in $R(A)$, and (4) $f^{-1}(v_0).x_i = c$ and $f^{-1}(v_2).x_i = d$. Again, it suffices to only consider the case where $d - c = 1$.

- Self-loop arcs of weight $\infty$ at vertex $v$, if $f^{-1}(v)$ is an end region.

In order to compute the maximum delay between $X$ and $Y$, it suffices to find the longest distance between $v_s$ and $v_t$ in $G$. Note that strongly connected components reachable from $v_s$ containing an arc of nonzero weight cause a maximum delay of infinity. As an example, Figure 3 shows the MaxDelay digraph of the TRAIN automaton. The dotted arcs are a specific type of arcs and will be discussed in Subsection 5.2.

5.2 The Synthesis Algorithm

In this subsection, we present a sound and complete algorithm, Add_BoundedLiveness (cf. Figure 4), for solving the synthesis problem presented in Problem Statement 3.1 with respect to $C_b = \Box(p \rightarrow \Diamond_{\leq \delta}\, q)$. The core of the algorithm is straightforward. It begins with an empty digraph. Then, it invokes the subroutine ConstructSubgraph, which builds up a subgraph of the MaxDelay digraph by adding paths of length at most $\delta$ that start from the set of vertices that represents $p$-regions in $G$ to the set of vertices that represents $q$-regions. Finally, it adds the rest of the vertices and arcs while ensuring that no new paths from $p$-regions to $q$-regions are introduced. In order to ensure completeness, the algorithm preserves $q$-regions.

We now describe the algorithm in detail. First, in order to keep track of time whenever $p$ becomes true, we add an extra clock variable $t$ to $A$ as a timer. Moreover, the maximum value that $t$ would be compared with is $\delta$ (lines 1-3). Note that, since the length of a path in the MaxDelay digraph is equal to the time elapsed along regions, our algorithm works correctly even if $t$ is reset in between a $p$-state and a $q$-state (e.g., a computation that goes from a $p$-state to a $(\neg p)$-state, then again to a $p$-state, and finally to a $q$-state). Next, we construct the region automaton $R(A)(S, T)$, where $S$ is the set of regions and $T$ is the set of edges (Line 4).

Fig. 3. MaxDelay digraph of the TRAIN automaton.

Notation: Since a location $s \in L$ may appear in a set of regions, in order to determine the source and target regions for computing maximum delay, we need to identify those regions where $p$ and $q$ become true. The function $g : AP \rightarrow 2^S$ calculates a set of such regions for an arbitrary atomic proposition $ap$ as follows:

$$g(ap) = \{(s_1, \rho_1) \mid (s_1 \models ap) \wedge (\exists (s_0, \rho_0) \mid ((s_0, \rho_0), (s_1, \rho_1)) \in T : (s_0 \not\models ap))\}$$

We now reduce our problem to the problem of bounding the length of the longest path in ordinary weighted digraphs. Towards this end, we first generate the MaxDelay digraph $G(V, A)$ (Line 6), as described in Subsection 5.1. Then, we invoke the subroutine ConstructSubgraph (Line 7), where we construct a subgraph of $G$ which meets the required response time.

The subroutine ConstructSubgraph (lines 20-32) takes a MaxDelay digraph $G$ and two integers $\delta$ and $n$ as input. It generates a subgraph $G'$ whose longest path from $v_s$ to $v_t$ is bounded by $\delta$. Recall that $v_s$ and $v_t$ are additional source and target vertices connected to $F(g(p))$ and $F(g(q))$, respectively. Since enumerating all paths from $v_s$ to $v_t$ to test their lengths costs an exponential exhaustive search, we begin with an empty digraph and add a certain number of paths in polynomial order of $|S|$. To this end, first, we include the shortest path from each vertex in $F(g(p))$ to $v_t$, provided its length is at most $\delta$ (lines 21-24). In case there exists a vertex $v$ in $F(g(p))$ from where there does not exist such a path to $v_t$, $f^{-1}(v)$ becomes a deadlock region.

In order to increase the level of nondeterminism, we now include $n$ additional shortest paths whose length is at most $\delta$. However, every time we add a path, we need to test that this path does not create new paths of length greater than $\delta$ or cycles containing an edge of nonzero weight (lines 25-29). One can interpret the integer $n$ as a level of nondeterminism; i.e., the more paths we add, the more nondeterminism we gain in the synthesized timed automaton. Next, we can safely add the rest of the vertices and arcs to $G'$ (lines 30-32) while ensuring that no new paths are added from $v_s$ to $v_t$.
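As an added illustration (not code from the paper), the following Python models the MaxDelay digraph of Subsection 5.1 as a dictionary of weighted arcs, computes the maximum delay as a longest path with the nonzero-weight-cycle test, and replays the ConstructSubgraph steps of Figure 4 on a small constructed digraph. It assumes a float stand-in for $\epsilon$, enumerates the $k$ shortest paths as simple paths instead of using Eppstein's algorithm, and does not reproduce the deadlock-removal loop of Add_BoundedLiveness; the names G_ARCS, EPS and the helper functions are this example's own.

```python
import math
from heapq import heappop, heappush

EPS = 1e-3  # stands in for the infinitesimal ε of the paper's arcs of weight d - c - ε

def reach(arcs, start, backwards=False):
    """Vertices reachable from start (or reaching it, when backwards), start included."""
    seen, todo = {start}, [start]
    while todo:
        x = todo.pop()
        for (u, v) in arcs:
            a, b = (v, u) if backwards else (u, v)
            if a == x and b not in seen:
                seen.add(b)
                todo.append(b)
    return seen

def longest_delay(arcs, src, dst):
    """Maximum delay (longest src->dst path). math.inf when a cycle with a nonzero-weight arc,
    an inf self-loop included, lies on a src->dst route (Subsection 5.1); None if dst is unreachable."""
    on_route = reach(arcs, src) & reach(arcs, dst, backwards=True)
    if dst not in on_route:
        return None
    for (u, v), w in arcs.items():
        if w > 0 and u in on_route and v in on_route and u in reach(arcs, v):
            return math.inf
    # Only zero-weight cycles remain on routes, so Bellman-Ford on negated weights converges
    # and its shortest distance is the negated longest path.
    dist = {x: math.inf for x in on_route}
    dist[src] = 0.0
    for _ in range(len(on_route)):
        for (u, v), w in arcs.items():
            if u in on_route and v in on_route and dist[u] - w < dist[v]:
                dist[v] = dist[u] - w
    return -dist[dst]

def shortest_path(arcs, src, dst):
    """Dijkstra over the non-negative weights; returns (length, path) or (math.inf, None)."""
    best, heap = {src: 0.0}, [(0.0, src, [src])]
    while heap:
        d, x, path = heappop(heap)
        if x == dst:
            return d, path
        for (u, v), w in arcs.items():
            if u == x and d + w < best.get(v, math.inf):
                best[v] = d + w
                heappush(heap, (d + w, v, path + [v]))
    return math.inf, None

def simple_paths(arcs, src, dst):
    """All simple src->dst paths as (length, path), shortest first; stands in for Eppstein's k shortest paths [22]."""
    out = []
    def walk(x, path, length):
        if x == dst:
            out.append((length, path))
            return
        for (u, v), w in arcs.items():
            if u == x and v not in path:
                walk(v, path + [v], length + w)
    walk(src, [src], 0.0)
    return sorted(out)

def with_path(arcs, base, path):
    """Copy of base with every arc of path added, weights taken from arcs."""
    extended = dict(base)
    for u, v in zip(path, path[1:]):
        extended[(u, v)] = arcs[(u, v)]
    return extended

def construct_subgraph(arcs, src, dst, delta, n):
    """ConstructSubgraph of Figure 4 on a MaxDelay digraph given as {(u, v): weight}. Returns
    (V', A'); the deadlock-removal loop of Add_BoundedLiveness is not replayed here."""
    sub = {}
    # Shortest path from each p-vertex (successor of v_s) to v_t, kept only if it fits in delta.
    for (u, v) in arcs:
        if u == src:
            length, path = shortest_path(arcs, v, dst)
            if length <= delta:
                sub = with_path(arcs, sub, path)
    # Then the n shortest v_s->v_t paths, each kept only if the bound still holds afterwards
    # (longest_delay returns inf, hence rejects, when the path closes a nonzero-weight cycle).
    for _, path in simple_paths(arcs, src, dst)[:n]:
        trial = with_path(arcs, sub, path)
        worst = longest_delay(trial, src, dst)
        if worst is not None and worst <= delta:
            sub = trial
    # Remaining arcs return only from vertices outside V' or from q-vertices (adjacent to v_t).
    kept = {x for arc in sub for x in arc}
    for (u, v), w in arcs.items():
        if u not in kept or (u, dst) in sub:
            sub[(u, v)] = w
    return {x for arc in sub for x in arc} - {src, dst}, sub

# Constructed sample MaxDelay digraph (not the paper's Figure 3): v_s feeds p-vertices p1, p2 and
# q1, q2 feed v_t; weights 0 (switch), 1 (boundary to boundary), 1-EPS (boundary to open region),
# inf (self-loop of end region e); b -> c -> b is a cycle containing a nonzero-weight arc.
G_ARCS = {
    ("vs", "p1"): 0.0, ("vs", "p2"): 0.0, ("p1", "a"): 1.0, ("a", "q1"): 1.0,
    ("p1", "b"): 1.0, ("b", "c"): 1.0, ("c", "b"): 0.0, ("c", "q1"): 1.0, ("p2", "c"): 1.0,
    ("p2", "q2"): 1.0 - EPS, ("q2", "e"): 0.0, ("e", "e"): math.inf, ("q1", "vt"): 0.0, ("q2", "vt"): 0.0,
}
```

On G_ARCS the maximum delay is infinite because of the b/c cycle; with $\delta = 2$ and $n = 2$ the subgraph drops the arcs (p1, b) and (p2, c) and its maximum delay becomes exactly 2, while b and c survive only as vertices unreachable from v_s, which is what the later deadlock-removal step of Figure 4 would prune.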

After invoking ConstructSubgraph, we transform $G'$ back to a region automaton $R(A')$ (lines 8-10). Next, due to pruning some vertices and arcs in ConstructSubgraph, we remove deadlock regions from $R(A')$ using a backward reachability analysis (lines 11, 12). However, in order to ensure that this removal does not break the completeness of our algorithm, we should consider the case where a $q$-region $r_0$ becomes a deadlock region. In this case, it is possible that all the regions along a path that starts from a region in $g(p)$ and ends at $r_0$ become deadlock
Add_BoundedLiveness(A(L, L⁰, ψ, X, E) : timed automaton, n : integer, C_b = □(p → ◇_{≤δ} q))
{
    X := X ∪ {t};
    c_t := δ;
    ∀(s₀, λ, φ, s₁) | ((s₀, λ, φ, s₁) ∈ E ∧ (s₀ ⊭ p ∧ s₁ ⊨ p)) : λ := λ ∪ {t};      // reset the timer t on every switch entering a p-location
    R(A)(S, T) := ConstructRegionAutomaton(A);
    repeat
        IsQRemoved := false;
        G(V, A) := ConstructMaxDelayGraph(R(A), g(p), g(q));      // defined in Subsection 5.1
        G'(V', A') := ConstructSubgraph(G, δ, n);
        R(A')(S', T') := {};
        S' := F⁻¹(V');
        T' := {(r₀, r₁) | (r₀, r₁) ∈ T ∧ (f(r₀), f(r₁)) ∈ A'} ∪
              {(r₁, r₂) | (r₁, r₂) ∈ T ∧ (f(r₁), f(r₂)) ∉ A' ∧ ∃r₀ : Weight(f(r₀), f(r₁)) = 1 − ε};
        while (∃r₀ | r₀ ∈ S' : (∀r₁ | r₁ ∈ S' : (r₀, r₁) ∉ T'))      // r₀ is a deadlock region
            S' := S' − {r₀}; T' := T' − {(r, r₀), (r₀, r) | r ∈ S'};
            if r₀ ∈ g(q) then
                IsQRemoved := true;
                S := S − {r₀}; T := T − {(r, r₀), (r₀, r) | r ∈ S}; break;
    until (IsQRemoved = false);
    if {(s, ρ) | (s, ρ) ∈ S' ∧ s ∈ L⁰ ∧ (∀x, ν | (ν ∈ ρ ∧ x ∈ X) : ν(x) = 0)} = {} then      // no initial region survived
        declare failure; exit;
    A' := ConstructTimedAutomaton(R(A'));
    return A';
}

ConstructSubgraph(G(V, A) : MaxDelay digraph, δ, n : integer)
{
    G'(V', A') := {};
    for all vertices v such that (v_s, v) ∈ A
        if the length of the shortest path P from v to v_t is at most δ then
            V' := V' ∪ {u | u is on P};
            A' := A' ∪ {a | a is on P};
    for k = 1 to n
        if adding the kth shortest path does not create other paths of length
           greater than δ or cycles containing an edge of nonzero weight then
            P := the kth shortest path of G from v_s to v_t;
            V' := V' ∪ {u | u is on P};
            A' := A' ∪ {a | a is on P};
    A' := A' ∪ {(u, v) | (u, v) ∈ A ∧ (u ∉ V' ∨ (u, v_t) ∈ A')};
    V' := (V' ∪ {u | (∃v : (u, v) ∈ A' ∨ (v, u) ∈ A')}) − {v_s, v_t};
    return G'(V', A');
}

Fig. 4. The synthesis algorithm for adding time-bounded liveness.

regions. Thus, we need to find another path from that region in $g(p)$ to a region in $g(q)$ other than $r_0$. Hence, we remove $r_0$ from the set of regions of the original region automaton $R(A)$ and start over (lines 14, 15). In case the removal of deadlock regions leaves no initial regions, the algorithm declares failure and terminates (lines 16, 17). Otherwise, it constructs the timed automaton $A'$ out of $R(A')$ (lines 18, 19) and terminates successfully.

As a demonstration, let us consider the TRAIN automaton presented in Section 2 (cf. Figure 1-a). Our goal is to bound the delay of revisiting the initial location by at most 4 minutes. To this end, we add the property $C_b = \Box(\textit{APPROACHING} \rightarrow \Diamond_{\leq 4}\, \textit{FAR})$ to the TRAIN automaton. Since the automaton already contains a clock that gets reset upon entering the location APPROACHING, we do not add an extra clock. However, we should have $c_x = 4$ when generating the region automaton (cf. Figure 1-b). Next, we construct the MaxDelay digraph (cf. Figure 3). In Figure 3, the dotted arcs contribute to violating the required response time. On the other hand, the solid arcs do not violate $C_b$. It is easy to observe that by choosing $n = 12$, ConstructSubgraph includes all computations that satisfy $C_b$. The rest of the procedure is constructing the new region automaton (cf. Figure 5-a) and then the final timed automaton (cf. Figure 5-b), which is straightforward.

Theorem 5.1: The algorithm Add_BoundedLiveness is sound.
Fig. 5. (a) Synthesized region automaton (b) Synthesized TRAIN automaton.


Proof. We show that the timed automaton synthesized by Add_BoundedLiveness meets the constraints of Problem Statement 3.1:

- Constraints C1...C3: It is easy to observe that the algorithm Add_BoundedLiveness only removes locations of $A$. Hence, $L' \subseteq L$ and $L'^0 \subseteq L^0$. Note that pruning regions only changes the guards of the associated switches and it does not affect reconstruction of $A'$ such that $L' \subseteq L$. Also, we add an extra clock variable $t$. Hence, $X \subseteq X'$. Furthermore, the algorithm does not touch the labels of locations and, hence, $\psi' = \psi$.

- Constraint C4: The subroutine ConstructSubgraph may only remove regions or edges from a region automaton. This removal either removes a switch from the original timed automaton completely or makes some regions unreachable, which in turn strengthens the guard of one or more switches. Hence, the set of switches of $A'$ meets the constraint C4.

- Constraint C5: The subroutine ConstructSubgraph ensures that the maximum delay of any computation that starts from a region in $g(p)$ and reaches a region in $g(q)$ is finite and bounded by the required response time in $C_b$. Hence, we are assured that the synthesized timed automaton satisfies $C_b$.

- Constraint C6: The algorithm removes deadlock regions from $R(A')$. In other words, it ensures all computations of $A'$ are infinite. Moreover, from constraints C1...C4, it follows that the algorithm does not introduce new computations to $A'$. Thus, the set of computations of $A'$ is a subset of the set of computations of $A$ and, hence, for all MTL specifications $\xi$, if $A \models \xi$ then $A' \models \xi$ as well. $\square$

Theorem 5.2: The algorithm Add_BoundedLiveness is complete.

Proof. In order to prove the completeness, we show that any initial location removed from the synthesized automaton must be removed. Observe that when a $p$-region is removed, there is no path from that region to a $q$-region where the delay is at most $\delta$. It follows that such a region must be removed in any timed automaton that satisfies the constraints of Problem Statement 3.1. Furthermore, if removal of such a region causes another region to become a deadlock region then that region must be removed for satisfying the constraint C5. Continuing thus, if an initial region becomes a deadlocked region then it must be removed. Our algorithm declares failure when all initial locations are removed. Based on the above discussion, in this case, any timed automaton that satisfies the constraints of Problem Statement 3.1 cannot contain any of the initial locations from $L^0$. Since this is a contradiction, it follows that when Add_BoundedLiveness declares failure, no solution exists for the given instance. Therefore, Add_BoundedLiveness is complete. $\square$

Remark 5.3. If we were to preserve all initial locations (cf. Remark 3.2), then the algorithm would be modified so that all initial locations are preserved and the remaining constraints from Problem Statement 3.1 are satisfied. However, the core of the above proofs still holds. To show soundness, in addition to those constraints, we need to check whether all initial locations are present. The completeness proof remains unchanged.

Theorem 5.4: The algorithm Add_BoundedLiveness is in P in the size of region automata.

Proof. The core of the algorithm is reachability analysis for a timed automaton. Deciding reachability of a location in timed automata is in P in the size of the region automaton [21]. Moreover, our synthesis algorithm involves finding shortest paths and the $k$ shortest paths in an ordinary weighted digraph. Eppstein [22] proposes an algorithm that finds the $k$ shortest paths (allowing cycles) in time $O(m + n \log n + k)$, where $n$ is the number of vertices and $m$ is the number of arcs of a given digraph. Note that we require that $k$ must be in polynomial order of the number of locations of the input timed automaton. Hence, one can implement a synthesis algorithm which runs in polynomial time in the qualitative part (locations), and polynomial space in the quantitative part of the input (timing constraints). $\square$

Corollary 5.5: The problem of adding a time-bounded liveness property to a timed automaton is in PSPACE in the size of the input timed automaton. $\square$

6 Adding Interval Time-Bounded and Unbounded Liveness Properties

We first consider automatic addition of an interval time-bounded liveness property $C_I = \Box(p \rightarrow \ldots)$ to a timed automaton, where $\delta_1 > 0$. As an intuition, let us use the algorithm Add_BoundedLiveness to add $C_I$. Since the required response time has a lower bound, the subroutine ConstructSubgraph has to enumerate and ignore all the paths whose lengths are less than $\delta_1$. Since there may exist many of these paths, this enumeration cannot be done in polynomial time in the size of region automata.

Theorem 6.1: The problem of adding an interval time-bounded liveness property to a timed automaton is NP-hard in the size of locations of the input timed automaton.

Proof. The proof is a simple reduction from the longest path problem [23] to an instance of the problem, where $C_I = \Box(p \rightarrow \Diamond_{[\delta_1, \infty)}\, q)$. Figure 6 illustrates the mapping of a digraph $G$ to a timed automaton $A$. It is easy to see that if $G$ has a path of length at least $\delta_1$ from a source vertex $v_s$ to a target vertex $v_t$ then $A$ can be transformed to a timed automaton $A'$ whose delay from $v_s$ to $v_t$ is at least $\delta_1$ time units and vice versa. $\square$

Fig. 6. Mapping the longest path problem to addition of interval time-bounded liveness.

Next, we discuss the problem of addition of unbounded liveness (also called leads-to) properties.

Theorem 6.2: The problem of addition of an unbounded liveness property to a timed automaton is PSPACE-complete in the size of the input timed automaton.

Proof. Since this problem is an instance of adding time-bounded liveness, membership in PSPACE follows from Corollary 5.5 immediately. We now show that the problem is PSPACE-hard. To this end, we reduce the reachability problem in timed automata [21] to an instance of our problem. In the reachability problem, our goal is to check whether a location $s_1$ is reachable from another location $s_0$ in a given timed automaton.

Mapping. Let the timed automaton $A$ be any instance of the reachability problem. We map $A$ to an instance of our problem as follows. Let $A^*$ be an automaton identical to $A$ with the following modifications. Let $s_0 \models p$ and $s_1 \models q$. Other locations of $A^*$ may satisfy arbitrary atomic propositions except $p$ and $q$. Let $s_0$ be the only initial location of $A^*$. We also add a self-loop at $s_1$.

Reduction. If $s_1$ is reachable from $s_0$ in $A$ then there exists a computation in $A^*$ that starts from $s_0$ and ends at $s_1$. A timed automaton $A'$ constructed from this computation plus the self-loop at $s_1$ satisfies $C_\infty$ and meets the constraints of Problem Statement 3.1. Now, we show the other direction. Let us assume that the answer to the decision problem is affirmative and we can synthesize a timed automaton $A'$ from $A^*$ such that $A' \models C_\infty$. Then $A'$ should contain both $s_0$ and $s_1$. This means that $s_1$ is reachable from $s_0$. Otherwise, $A'$ would not satisfy $C_\infty$. $\square$

Since an unbounded liveness property is an instance of time-bounded and interval time-bounded liveness properties, the problems of adding those properties are also PSPACE-hard. This result is also valid for addition problems with the maximal nondeterminism constraint, as synthesizing a timed automaton with at least one edge is an instance of the problem with maximal nondeterminism.

Corollary 6.3: The problems of adding time-bounded and interval time-bounded as well as unbounded liveness properties to a timed automaton with or without maximal nondeterminism are all PSPACE-complete in the size of the input timed automaton. $\square$

Remark 6.4. The time complexity of adding an unbounded liveness property to a timed automaton with maximal nondeterminism in terms of transitions remains open in this paper. However, we refer the reader to [8], where the authors introduce a synthesis algorithm for adding leads-to properties to an untimed program, while maintaining maximal nondeterminism in terms of states of the given program.

We summarize the complexity of the problems of addition of different types of liveness properties in Table 2.

7 Discussion

In this section, we address some of the questions raised about the formulation of the problem and the synthesis method presented in Section 5.

1- How does our work fit in the context of related work?

Our formulation of the problem (cf. Section 3) is different from those in [10-12, 15-17]. Intuitively, we manipulate a timed automaton inside its state space, so that it satisfies a newly desired property. By contrast, in [15, 16], the goal is synthesizing a timed controller (which is a timed automaton itself), such that its synchronized product with the plant satisfies a given specification. Hence, this formulation requires both plant and controller to be deterministic timed automata, whereas in our model, we synthesize nondeterministic timed automata even with a specified level of nondeterminism. Furthermore, in [10-12], the winning condition is given on the state space of the plant, whereas in our approach, the new property is an external MTL formula. Moreover, in this paper, our goal is to study the complexity issues and develop algorithms for adding various types of a specific class of MTL properties that (we believe) can capture a wide range of requirements for specifying real-time programs. In fact, the complexity of our algorithm is less than those in [10-12, 15-17] (cf. Tables 1, 2). Of course, this is achieved at the cost of expressiveness of specifications.

2- After removing a subset of computations, how can we claim that the synthesized timed automaton continues to satisfy its old specification?

This is because we consider a linear-time temporal logic. As mentioned in Section 2, an MTL formula $\xi$ defines a set of timed state sequences. Note that an automaton $A$ satisfies specification $\xi$ iff all computations of $A$ are in $\xi$. Hence, a subset of computations of $A$ satisfies $\xi$ as well. In the context of the algorithm Add_BoundedLiveness, although it excludes some of the computations, since it ensures that all computations are infinite (by removing deadlock regions), the synthesized automaton continues to satisfy its old MTL specification. A possible confusion is that "the given program (before synthesis) does not satisfy the time-bounded liveness property $\xi$, but it does satisfy $\xi$ after synthesis". Note, however, that "a program does not satisfy $\xi$" cannot be expressed as "the program satisfies $\xi'$", where $\xi'$ is an MTL property. Also, if a given program satisfies $\neg\xi$ then no computation of the program satisfies $\xi$ and, hence, it is not possible to synthesize a program that satisfies $\xi$. In such a case, the algorithm Add_BoundedLiveness declares failure. The same problem cannot be defined by branching-time temporal logics (e.g., TCTL), as "a program does not satisfy $\xi$" can be expressed as "the program satisfies $\xi'$", where $\xi'$ is a TCTL property.

Complexity Issues in Automated Addition of Time-Bounded Liveness Properties 15

3- In Section 4, we defined maximality in terms of reachable transitions. What are the other alternatives to model nondeterminism?

It is also possible to define maximal nondeterminism in terms of reachable locations or behaviors. However, these alternative definitions do not change the NP-hardness result. In fact, many of the edge and vertex deletion problems are known to be NP-hard [20,24,25]. In particular, in the case of maximal reachable locations, one can easily reduce the vertex deletion problem [20] to our synthesis decision problem. Moreover, in the case of maximal number of behaviors, one can develop a reduction from the $k$th shortest path problem [23].

4- How can we improve the state space explosion problem in our algorithm?

Generation of a detailed region automaton is usually not efficient. Zone automata [26] are a more efficient finite representation of timed automata used in model checking techniques. Since our goal was to evaluate complexity classes for adding time-bounded liveness, we focused on region automata. However, an interesting improvement step is modifying Add_BoundedLiveness so that it manipulates a zone automaton rather than a detailed region automaton.


            | Time-Bounded Liveness  | Unbounded Liveness          | Interval Time-Bounded Liveness
            | Maximal  | NonMaximal  | Maximal      | NonMaximal   |
            | (Sec. 4) | (Sec. 5)    | (Sec. 6)     | (Sec. 6)     | (Sec. 6)
Complexity  | NP-hard  | P           | see Rem. 6.4 | P            | NP-hard

Table 2. Complexity of adding liveness properties in the size of region automata.


8 Conclusion and Future Work

In this paper, we focused on the problem of automatic addition of different types of time-bounded liveness properties (also called bounded response) to a timed automaton, while preserving its existing Metric Temporal Logic (MTL) specification. Unlike specification-based methods, in our approach, we start with an existing program rather than a specification and, hence, the previous efforts made for synthesizing the input program are reused.

First, we showed that the problem of addition of a time-bounded liveness property to a timed automaton while maintaining maximal nondeterminism is NP-hard in the size of locations of the input automaton. Then, we presented a simple sound and complete transformation algorithm that adds a time-bounded liveness property to a timed automaton (without maximal nondeterminism), such that the automaton continues to satisfy its existing MTL specification. The complexity of the algorithm is polynomial in the size of locations of the input timed automaton. Furthermore, we showed that the problem of addition of interval time-bounded liveness properties is also NP-hard. Moreover, we showed that adding time-bounded and interval time-bounded as well as unbounded liveness properties are all PSPACE-complete in the size of the input timed automaton.

In many hard real-time systems (e.g., mission-critical systems) meeting deadlines in the presence of faults is a necessity. As future work, we plan to study the problem of automatic addition of fault-tolerance to existing fault-intolerant real-time programs. More specifically, we plan to extend the theory of automated addition of fault-tolerance to untimed programs [5-7] to the context of real-time programs. In particular, we will study how bounded-time recovery can be achieved in the presence of faults using the results presented in this paper.